Capitalizing on previous encodings and formal developments about nominal calculi and type systems, we propose a weak Higher-Order Abstract Syntax formalization of the type language of pure System F<: within Coq, a proof assistant based on the Calculus of Inductive Constructions.

Our encoding allows us to accomplish the proof of the transitivity property of algorithmic subtyping, which is in fact the first of the three tasks stated by the POPLmark Challenge, a set of problems that capture the most critical issues in formalizing programming language metatheory.



1 Introduction 



It is well known that formal proofs about programming language metatheory and semantics are long and tedious, and that their complexity is essentially due to the management of details; small mistakes or missed subtle cases may invalidate large amounts of work, and this effect worsens as languages scale. Automated proof assistants can help to ease the problem, with several potential benefits: it may be simpler to reuse work, to keep definitions and proofs consistent, and to ensure a firm relationship between theory and implementation. Nevertheless, it is apparent that computer-aided formal reasoning is not commonplace, even among programming language designers and researchers. Therefore, the POPLmark Challenge [3] has proposed a framework and a set of benchmarks for measuring progress in the area, envisaging a future in which research papers on programming languages will be routinely accompanied by an electronic appendix with machine-checked proofs.

The Challenge concerns a set of problems about the metatheory of a variant of System F<: [33], a.k.a. the polymorphic, or second-order, lambda calculus. This choice is intended to pick out some features of programming languages that are known to be difficult to formalize; in this way, the problematic aspects can be used to compare alternative technologies that have been successfully tried out in specific areas. In detail, the Challenge concentrates on variable binding, complex recursion and induction, definition and proof reuse, and experimentation with generated sample programs.

In this paper we focus on the first of the three tasks in the Challenge suite, by considering System F<:'s type language. Essentially, such an object system features variable binding and subtyping. We adopt a methodology for encoding and reasoning formally about System F<: which takes most advantage of the features provided by logical frameworks based on type theories, and we carry out our effort within the Coq implementation [38] of the Calculus of Inductive Constructions (CC^Ind) [13, 31].

A common problem is that encoding and reasoning about a formal system adds further complexity to already cumbersome judgments and proofs. In order to be practically useful, therefore, it is important that the formalization is as clean and compact as possible: ideally, most (if not all) of the details implicitly taken for granted when working with paper and pencil should be automatically provided by the formal development.
A central point pursued by the Challenge is an efficient management of inductively-defined structures with binders. To this end, we employ Higher-Order Abstract Syntax (HOAS) [19, 32], an approach that uses binders in the metalanguage to represent binders in the object language, thus providing a high level of abstraction. More precisely, since we work in a type theory with induction, we use weak HOAS [24]: binders are encoded as second-order term constructors that take as arguments functions over a parametric, open (i.e., non-inductive) type of variables. In this way, while we keep benefiting from inductive definition and proof principles, we gain the advantage that α-conversion of abstractions and capture-avoiding substitution of variables for variables are automatically ensured by the metalanguage.

The main drawback of (weak) HOAS in CC^Ind (and Coq) is that it is difficult to reason about the encodings, because there is limited support for higher-order recursion and induction. To overcome this problem, we adopt the Theory of Contexts (ToC) [23], a small set of axioms which can be added to CC^Ind to represent some basic and natural properties of variable and term contexts. It is apparent that we lose full constructivity by using axioms; on the other hand, the ToC requires a very low mathematical and logical overhead for porting the arguments on paper to the formal setting.

In the end, by exploiting the above tools, we fulfill the first task of the Challenge: that is, we prove the transitivity and the narrowing properties of algorithmic subtyping for System F<:. We believe that our result is relevant because it is the first weak HOAS approach to the Challenge¹; hence it provides extra feedback about the two issues of representing and reasoning about binders and carrying out formal proofs by mutual, nested structural induction on System F<:'s type language.

In the next two sections, we recap the first task of the Challenge and we rephrase it on paper as a preliminary step towards its formal treatment in CC^Ind. In the core Section 4 we present and discuss the formalization itself (the Coq code is available at the web appendix of this paper [12]), and in the final sections we connect it to the related literature and to the Challenge metrics of success.

2 Algorithmic subtyping in System F<:

The POPLmark Challenge [3] addresses the metatheory of a call-by-value variant of System F<:, a calculus of moderate scale. The first part of the Challenge, which we deal with in the present paper, focuses just on the type language, which we consider here in its pure version, i.e., without record types.

The syntax of types features variables (taken, as usual, from an infinite set of distinct symbols), the constant Top (the supertype of any type), functions, and bounded quantification (i.e., universal types):

Type:  S, T ::= X           type variable
              | Top         maximal type
              | S → T       function type
              | ∀X<:S.T     universal type

Universal types, which are the distinctive feature of F<:, arise by combining polymorphism and subtyping: on the one hand, types such as ∀X.T are intended to specify the type of polymorphic functions; on the other hand, bounded universal quantifiers such as ∀X<:S carry subtyping constraints. Note that the universal type ∀X<:S.T binds the occurrences of X in T, but not in S.

The type environments are formed by subtyping constraints too, involving type variables and types:

Env:  Γ ::= ∅           empty type environment
          | Γ, X<:T     type variable binding

Type variables within environments have to respect a scoping discipline: only fresh variables can be introduced, that is, X ∉ dom(Γ); moreover, such variables cannot occur free in the type they are bound to, i.e., X ∉ fv(T); finally, the variables that appear free in T have to be already collected in the environment Γ. Hence, a typical two-variable well-scoped environment is X<:Top, Y<:X.²

¹ Among the proposed solutions collected by the Challenge web page [4], our encoding is also the first HOAS one in Coq.

Algorithmic subtyping, Γ ⊢ S<:T, captures the intuition that "S is a subtype of T under the assumptions Γ", which means that "an instance of S may be safely used wherever an instance of T is expected". It is defined by induction and it is intended to concern only well-scoped types (i.e., when Γ ⊢ S<:T is derived, all the type variables that occur free in S and T have to be in the domain of Γ):

$$\frac{}{\Gamma \vdash S <: Top}\ (\text{Top}) \qquad \frac{}{\Gamma \vdash X <: X}\ (\text{Refl}) \qquad \frac{X<:U \in \Gamma \quad \Gamma \vdash U <: T}{\Gamma \vdash X <: T}\ (\text{Trans})$$

$$\frac{\Gamma \vdash T_1 <: S_1 \quad \Gamma \vdash S_2 <: T_2}{\Gamma \vdash S_1 \to S_2 <: T_1 \to T_2}\ (\text{Arr}) \qquad \frac{\Gamma \vdash T_1 <: S_1 \quad \Gamma, X<:T_1 \vdash S_2 <: T_2}{\Gamma \vdash \forall X<:S_1.S_2 <: \forall X<:T_1.T_2}\ (\text{All})$$

The Challenge focuses on the algorithmic version of subtyping because its ultimate goal is the experimentation with real implementations of the formalized definitions. Moreover, being syntax-directed, algorithmic subtyping is easier to reason about than its equivalent, more familiar declarative presentation, where the rules (Refl) and (Trans) are replaced by the following ones:

$$\frac{X<:U \in \Gamma}{\Gamma \vdash X <: U}\ (1) \qquad \frac{}{\Gamma \vdash S <: S}\ (2) \qquad \frac{\Gamma \vdash S <: T \quad \Gamma \vdash T <: U}{\Gamma \vdash S <: U}\ (3)$$

In fact, the first task of the Challenge addresses the relationship between the two versions of subtyping, as it consists in proving that the transitivity property (3) is derivable within the algorithmic system (the same holds for reflexivity (2), which is not problematic).

The proof of transitivity is challenging essentially in two respects: it has to be proved together with the narrowing property, and such a proof requires a mutual and nested induction argument.

Proposition 1 (Transitivity and Narrowing). If Γ ⊢ S <: Q and Γ ⊢ Q <: T, then Γ ⊢ S <: T.
If Γ, X<:Q, Δ ⊢ M <: N and Γ ⊢ P <: Q, then Γ, X<:P, Δ ⊢ M <: N.

Proof. By induction on the structure of the type Q. 

The proof of transitivity proceeds by an inner induction on the structure of the derivation Γ ⊢ S <: Q, with a case analysis on the final rule of such a derivation and on that of the second hypothesis Γ ⊢ Q <: T. We illustrate the crucial case when both derivations end with an application of the (All) rule:



$$\frac{\Gamma \vdash Q_1 <: S_1 \quad \Gamma, X<:Q_1 \vdash S_2 <: Q_2}{\Gamma \vdash S = \forall X<:S_1.S_2 <: \forall X<:Q_1.Q_2 = Q}\ (\text{All}) \qquad \frac{\Gamma \vdash T_1 <: Q_1 \quad \Gamma, X<:T_1 \vdash Q_2 <: T_2}{\Gamma \vdash Q = \forall X<:Q_1.Q_2 <: \forall X<:T_1.T_2 = T}\ (\text{All})$$

To conclude Γ ⊢ ∀X<:S1.S2 <: ∀X<:T1.T2 via the (All) rule, two premises are needed. First, Γ ⊢ T1 <: S1 may be derived by the induction hypothesis from the third and the first subderivations; however, the induction hypothesis cannot be applied to the second and fourth subderivations (to deduce Γ, X<:T1 ⊢ S2 <: T2), because their environments are different. Hence, the narrowing property, i.e., the outer induction hypothesis (Q1 being structurally smaller than Q), has to be exploited to derive Γ, X<:T1 ⊢ S2 <: Q2 from the second and the third subderivations. Then, to construct the required derivation Γ, X<:T1 ⊢ S2 <: T2 from this last hypothesis and the fourth subderivation, it is necessary to apply again the outer induction hypothesis (transitivity itself, with Q2 structurally smaller than Q).

² We will give formal definitions of the mentioned (well-known) concepts in Section 3.

A weak HOAS approach to the POPLmark Challenge

Similarly, the proof of narrowing proceeds by an inner induction on the structure of the derivation Γ, X<:Q, Δ ⊢ M <: N, again with a case analysis on the final rule applied. The treatment of this "twin" property is even subtler when the last rule applied is (Trans), and M is exactly X:



$$\frac{\Gamma, X<:Q, \Delta \vdash Q <: N}{\Gamma, X<:Q, \Delta \vdash M = X <: N}\ (\text{Trans})$$

Now, Γ, X<:P, Δ ⊢ Q <: N may be derived by the induction hypothesis, and Γ, X<:P, Δ ⊢ P <: Q via a straightforward weakening property. This time, the outer induction hypothesis has to be exploited with the same Q; that is, the transitivity property is used to deduce Γ, X<:P, Δ ⊢ P <: N from the two inferred derivations. In the end, an application of the (Trans) rule yields Γ, X<:P, Δ ⊢ X <: N.

The present proof is reported in [3, 33], albeit not in a fully detailed fashion. □

We notice finally that the presentation of System F<: [3], which we have displayed and commented on, leaves implicit those aspects that form the core of the Challenge: α-conversion and capture-avoiding substitution (as in standard practice), and the well-scoping discipline (on purpose).

3 An alternative formulation of System F<:

We now give an alternative presentation of System F<:'s subtyping, making explicit some concepts that have been left implicit in the original formulation reported in Section 2. While carrying out this step, we are mainly inspired by the features provided by logical frameworks based on type theory.

We use here the same syntax for types as in Section 2; on the other hand, we make small changes to the subtyping system, and we prove that the new version is equivalent to the original one. The formalization in CC^Ind of the resulting system will then be discussed in the following section.

We manage the type environment as a concrete collection of pairs, thus pursuing a sequent-style encoding of subtyping; consequently, we state formally two concepts related to the environment itself. First, we define the closure of types T w.r.t. environments Γ (a sort of compatibility) via the relation closed ⊆ Type×Env, stating that the free variables of T have to appear in the domain of Γ. Further, the well-formedness of environments ok ⊆ Env prescribes that, when a new pair (X,T) makes an environment Γ grow, X must be fresh w.r.t. Γ and must not appear in T, and T has to be closed w.r.t. Γ.

In what follows, we write fv(T) for the type variables occurring free in a type T, and overload the symbols "∈, ∉" in a way which is clear from the context.

Definition 1 (Closure, Well-formedness). For Γ = (X1, T1), ..., (Xn, Tn) an environment and T a type, we define the domain of Γ and the predicates closed and ok as follows:

$$dom(\Gamma) = \{X_1, \ldots, X_n\} \qquad closed(T, \Gamma) \equiv \forall Y.\ Y \in fv(T) \Rightarrow \exists U.\ (Y, U) \in \Gamma$$

$$\frac{}{ok(\emptyset)}\ (\text{ok-}\emptyset) \qquad \frac{ok(\Gamma) \quad X \notin dom(\Gamma) \quad closed(T, \Gamma)}{ok(\Gamma, (X, T))}\ (\text{ok-pair})$$
We notice that we do not need the condition X ∉ fv(T) among the premises of the (ok-pair) rule, because it can be derived from the second and the third hypotheses. Finally, the main subtyping judgment Γ ⊢ S<:T is rendered as sub(Γ, S, T), where sub is a predicate defined on 3-tuples, sub ⊆ Env×Type×Type.

Definition 2 (Subtyping). If Γ is a type environment and S, S1, S2, T, T1, T2, U are types, then the predicate sub is defined by induction, as follows:

$$\frac{ok(\Gamma) \quad closed(S, \Gamma)}{sub(\Gamma, S, Top)}\ (\text{top}) \qquad \frac{ok(\Gamma) \quad (X, U) \in \Gamma}{sub(\Gamma, X, X)}\ (\text{var})$$

$$\frac{(X, U) \in \Gamma \quad sub(\Gamma, U, T)}{sub(\Gamma, X, T)}\ (\text{trs}) \qquad \frac{sub(\Gamma, T_1, S_1) \quad sub(\Gamma, S_2, T_2)}{sub(\Gamma, S_1 \to S_2, T_1 \to T_2)}\ (\text{arr})$$

$$\frac{sub(\Gamma, T_1, S_1) \quad \text{for all } X,\ ok(\Gamma, (X, T_1)) \Rightarrow sub((\Gamma, (X, T_1)), S_2, T_2)}{sub(\Gamma, \forall X<:S_1.S_2, \forall X<:T_1.T_2)}\ (\text{all})$$

It is apparent that our presentation of subtyping is equivalent to the original one of Section 2; informally arguing for such an adequacy, we remark that we are using the same type environments and that we have formalized their well-formedness and a kind of compatibility between the types and the environments themselves, two concepts which are implicit in the POPLmark Challenge statement.

To prove such an adequacy formally, we have to relate the subtyping definitions in the two settings; this requires a preliminary lemma, connecting the three judgments defined in this section with each other. In the following, given an environment Γ, perm(Γ) stands for a permutation of its components.

Lemma 1 (Auxiliary judgments). For all Γ ∈ Env, and S, T ∈ Type:

1) sub(Γ, S, T) ⟹ ok(Γ);

2) sub(Γ, S, T) ⟹ closed(S, Γ) ∧ closed(T, Γ).

Proof. 1) By induction on the structure of the derivation of sub(Γ, S, T). 2) By induction on the structure of the derivation of sub(Γ, S, T), and point 1. □

Theorem 1 (Adequacy). For all Γ ∈ Env, and S, T ∈ Type: sub(Γ, S, T) if and only if Γ ⊢ S <: T.

Proof. By structural induction on the hypothetical derivations, and Lemma 1. □

Lemma 2 (Environment). For all Γ, Δ ∈ Env, and X, P, Q, S, T ∈ Type:

1) Well-formedness: ok(Γ, (X, Q), Δ) ∧ sub(Γ, P, Q) ⟹ ok(Γ, (X, P), Δ);

2) Permutation: sub(Γ, S, T) ∧ ok(perm(Γ)) ⟹ sub(perm(Γ), S, T);

3) Weakening: sub(Γ, S, T) ∧ ok(Γ, Δ) ⟹ sub((Γ, Δ), S, T).

Proof. 1) By induction on the structure of Δ, and Lemma 1.2. 2) By induction on the derivation of sub(Γ, S, T), and Lemma 1.1. 3) By induction on the derivation of sub(Γ, S, T), and point 2. □

We are now ready to address the first Challenge task, by ensuring that our version of subtyping fulfills the reflexivity, transitivity and narrowing properties.

Proposition 2 (POPLmark Challenge, 1A). For all Γ, Δ ∈ Env, and P, Q, M, N, S, T ∈ Type:

Reflexivity: ok(Γ) ∧ closed(S, Γ) ⟹ sub(Γ, S, S);

Transitivity: sub(Γ, S, Q) ∧ sub(Γ, Q, T) ⟹ sub(Γ, S, T);

Narrowing: sub((Γ, (X, Q), Δ), M, N) ∧ sub(Γ, P, Q) ⟹ sub((Γ, (X, P), Δ), M, N).

Proof. Reflexivity: by induction on the structure of S.

As shown in Proposition 1, Transitivity and Narrowing are proved simultaneously by induction on the structure of Q; we point out here some extra details, which depend on the different cases of Q.

Transitivity: Q = Top: via Lemma 1.2. Q = Y: by inner induction on the derivation of sub(Γ, S, Y). Q = U→V: by inner induction on the derivation of sub(Γ, S, U→V), Lemma 1.2, and the outer induction hypothesis, i.e., the transitivity statement itself twice, with U and V, which are structurally smaller than Q. Q = ∀Y<:U.V: by inner induction on the derivation of sub(Γ, S, ∀Y<:U.V), Lemma 1.2, and the outer induction hypothesis, this time both the narrowing statement with U and the transitivity with V, where, again, both U and V are structurally smaller than Q (see also Proposition 1).

Narrowing: all the cases require an inner induction on the derivation of sub((Γ, (X, Q), Δ), M, N), and Lemmas 1.1 and 2.1. When the (trs) rule is matched by such an inner induction, all the cases but the Q = Top one need the application of the outer induction hypothesis, i.e., the transitivity statement with the starting Q (see also Proposition 1). Moreover, when (trs) is matched, the Q = Top case requires Lemma 1.2, and the remaining cases the Weakening property (Lemma 2.3). □
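As an added illustration, not part of the paper or of its Coq development, the following Python decision procedure reads Definitions 1 and 2 bottom-up: binders are represented in weak HOAS style as Python functions over a variable class (so the (all) rule is checked on one fresh variable), and the environment, the sample types and the variable names X, Y are constructed here for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


class Var:
    """A type variable. Equality is object identity, so two distinct Var
    objects are always different variables (decidable equality on Var)."""
    __slots__ = ("name",)

    def __init__(self, name: str) -> None:
        self.name = name

    def __repr__(self) -> str:
        return self.name


class Tp:
    """Base class of the System F<: types of Section 2."""


@dataclass(frozen=True)
class Top(Tp):            # maximal type
    pass


@dataclass(frozen=True)
class TVar(Tp):           # type variable X
    x: Var


@dataclass(frozen=True)
class Arr(Tp):            # function type S -> T
    s: Tp
    t: Tp


@dataclass(frozen=True)
class All(Tp):            # universal type forall X<:bound. body[X]
    bound: Tp
    body: Callable[[Var], Tp]   # weak HOAS: the binder is a function over Var


Env = List[Tuple[Var, Tp]]  # grows to the right, as on paper


def fresh(hint: str = "Z") -> Var:
    """Freshness/unsaturation: a new Var object differs from every variable in use."""
    return Var(hint)


def fv(t: Tp) -> Set[Var]:
    """Free type variables; a binder body is inspected by applying it to a fresh variable."""
    if isinstance(t, Top):
        return set()
    if isinstance(t, TVar):
        return {t.x}
    if isinstance(t, Arr):
        return fv(t.s) | fv(t.t)
    assert isinstance(t, All)
    z = fresh()
    return fv(t.bound) | (fv(t.body(z)) - {z})


def dom(env: Env) -> Set[Var]:
    return {x for x, _ in env}


def closed(t: Tp, env: Env) -> bool:
    """closed(T, Gamma): every free variable of T is bound in Gamma."""
    return fv(t) <= dom(env)


def ok(env: Env) -> bool:
    """ok(Gamma): each pair (X, T) extends a well-formed prefix with X fresh and
    T closed in that prefix (X not in fv(T) then follows, as remarked after Definition 1)."""
    for i, (x, t) in enumerate(env):
        prefix = env[:i]
        if x in dom(prefix) or not closed(t, prefix):
            return False
    return True


def lookup(env: Env, x: Var) -> Optional[Tp]:
    """The bound U with (X, U) in Gamma, or None if X is not declared."""
    for y, u in env:
        if y is x:
            return u
    return None


def sub(env: Env, s: Tp, t: Tp) -> bool:
    """Decide sub(Gamma, S, T) by reading the syntax-directed rules of Definition 2 bottom-up."""
    if not ok(env):            # Lemma 1(1): derivability implies ok(Gamma); also bounds (trs) chains
        return False
    if isinstance(t, Top):                       # (top)
        return closed(s, env)
    if isinstance(s, TVar):
        u = lookup(env, s.x)
        if u is None:
            return False
        if isinstance(t, TVar) and t.x is s.x:   # (var)
            return True
        return sub(env, u, t)                    # (trs): climb to the declared bound of X
    if isinstance(s, Arr) and isinstance(t, Arr):   # (arr): contravariant domain, covariant codomain
        return sub(env, t.s, s.s) and sub(env, s.t, t.t)
    if isinstance(s, All) and isinstance(t, All):   # (all)
        if not sub(env, t.bound, s.bound):
            return False
        x = fresh("X")                           # one fresh X stands for the "for all X" premise
        ext = env + [(x, t.bound)]               # ok(ext) holds: ok(env), t.bound closed, x fresh
        return sub(ext, s.body(x), t.body(x))
    return False


# Constructed sample environment and types (not from the paper): X<:Top, Y<:X.
X, Y = Var("X"), Var("Y")
ENV: Env = [(X, Top()), (Y, TVar(X))]
S_ALL = All(Top(), lambda z: Arr(TVar(z), TVar(z)))    # forall Z<:Top. Z -> Z
Q_ALL = All(TVar(X), lambda z: Arr(TVar(z), Top()))    # forall Z<:X.   Z -> Top
T_ALL = All(TVar(Y), lambda z: Arr(TVar(z), Top()))    # forall Z<:Y.   Z -> Top
```

With S_ALL <: Q_ALL and Q_ALL <: T_ALL both derived through the (all) rule, the transitivity instance S_ALL <: T_ALL is exactly the crucial case discussed under Proposition 1.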



4 Formalization of System F<: in CC^Ind

When encoding a formal system in a type-theory based logical framework (LF), one of the most tedious and time-consuming tasks is that of representing variables and the related machinery of α-conversion and capture-avoiding substitution. Traditional solutions like, e.g., de Bruijn indices and first-order variables, force the user to spend a lot of time in formalizing and proving a huge number of properties about free and bound occurrences of variables, α-conversion, and related concepts. Often, such a development greatly outweighs the core part of the metatheory's formalization.

An alternative approach, known as Higher-Order Abstract Syntax (HOAS) [19, 32], has been introduced to overcome such an overhead. Its gist amounts to using the metavariables of the LF to represent the variables of the object language; in this way, α-conversion and capture-avoiding substitution are completely delegated to the framework: in fact, binders are modeled by functional constructors, and substitution is modeled by functional application. Despite this apparent improvement, it is well known (see, e.g., [14, 28]) that HOAS does not cope well with inductive types, yielding several problems:

• Impossibility to adopt a "full" HOAS representation of binders: functional types like (T → T) → T violate the positivity constraints required by inductive constructors (thus, it is not possible to delegate the substitution of terms into terms to the metalevel).

• Lack of suitable higher-order induction/recursion principles, which would allow one to program with and reason about functional terms.

• Impossibility to use inductive types, e.g., Var, to represent variables: otherwise, higher-order constructors (like (Var → T) → T) could generate "exotic" parasite terms, i.e., terms not corresponding to any term of the object language.

• Difficulty or impossibility to reason at the object level about the concepts and mechanisms delegated to the metalanguage.
Several attempts have been made to reconcile binding constructs with induction principles, also via the design and implementation of new logics (e.g., Nominal Logic [10, 35] and FOλ∆∇ [30]). Although these solutions provide advantages and support for a suitable representation of variables and binders, they require the user to switch to new and significantly different frameworks, to learn them from scratch, and to reimplement/translate the preceding work.

In this paper, we resort instead to a more "conservative" approach, which has already been exploited in several case studies about the encoding of process algebras, and static and dynamic semantics [24, 25, 36]. Namely, we introduce in the Coq implementation [38] of the CC^Ind type theory [13, 31] a weak HOAS formalization of System F<: (Sections 4.1, 4.2), together with a compact axiomatization of simple properties about variables, named the Theory of Contexts (Section 4.3).



4.1 Encoding of syntax: types and type environments 

In the following, Var is the non-inductive type representing System F<:'s (type) variables; therefore we can represent in Coq variables like X, Y, ... with metalanguage variables X, Y, ... of type Var. Next, we define the inductive type Tp to represent System F<:'s types, with four constructors for the maximal type, variables³, function and universal types (compare with Section 2):

    Parameter Var: Set.

    Inductive Tp: Set := var: Var -> Tp | top: Tp
      | arr: Tp -> Tp -> Tp | fa : Tp -> (Var -> Tp) -> Tp.
    Coercion var: Var >-> Tp.

This encoding, via a parametric type Var for variables and an inductive type Tp for terms of the object system, is in fact a weak HOAS encoding. The constructor fa, which is higher-order (as it takes as second argument a function from Var to Tp), allows us to represent correctly System F<:'s binder "∀", by delegating to the Coq system the management of the bound variable X in the expression ∀X<:S.T. To be more precise, if we denote with S the encoding of S and with T[X] the encoding of T (where the occurrence of the encoded bound variable X, corresponding to X, is explicitly denoted by the square brackets), the representation of ∀X<:S.T is given by (fa S (fun X : Var => T[X])). Hence, the variable X is bound by the metalanguage functional construct fun; it follows that α-conversion and capture-avoiding substitution of variables for variables are automatically dealt with by the metalanguage of Coq.

As remarked in Section 3, in this paper we present an "explicit" encoding of type environments Γ; these are encoded as lists of pairs, whose components belong to the types Var and Tp, respectively:

    Definition envTp: Set := (list (Var * Tp)).

This choice is quite intuitive and natural, except for the fact that now, obviously, the environments grow 
"toward the left" (i.e., the head of the list), while environments "on paper" grow toward the right. 

In order to reason about variables, types and type environments, we need a set of auxiliary predicates that formalize the concepts defined in Section 3, i.e., the (non)occurrence of variables in types, the freshness of variables/presence of pairs inside environments, and the well-scoping of types w.r.t. the environments themselves. First, we introduce the inductive predicates isin and notin:

    Inductive isin (X:Var): Tp -> Prop := isin_var: isin X X
      | isin_arr: forall S T:Tp, isin X S \/ isin X T -> isin X (arr S T)
      | isin_fa : forall S:Tp, forall U:Var->Tp,
          isin X S \/ (forall Y:Var, ~X=Y -> isin X (U Y)) -> isin X (fa S U).
    Inductive notin (X:Var): Tp -> Prop := notin_top: notin X top
      | notin_var: forall Y:Var, ~X=Y -> notin X Y
      | notin_arr: forall S T:Tp, notin X S -> notin X T -> notin X (arr S T)
      | notin_fa : forall S:Tp, forall U:Var->Tp,
          notin X S -> (forall Y:Var, ~X=Y -> notin X (U Y)) -> notin X (fa S U).

³ Notice that var is declared as a coercion, which avoids writing the constructor explicitly where a variable should stand for a term of type Tp.

The intuitive meaning of (isin X T) is that the variable X occurs free in T, i.e., X ∈ fv(T) in Section 3, while (notin X T) stands for the opposite concept, X ∉ fv(T). The two definitions are syntax-driven, with just one introduction rule for each constructor of type Tp (apart from the top case for isin).

Concerning the environments, we formalize the freshness of a variable, X ∉ dom(Γ) (Gfresh), the presence of a constraint, (X, T) ∈ Γ (isinG), and the closure of a type, closed(T, Γ) (Gclosed), w.r.t. them:

    Inductive Gfresh (X:Var): envTp -> Prop := GfVoid: Gfresh X nil
      | GfGrow: forall G:envTp, forall Y:Var, forall T:Tp,
          Gfresh X G -> ~X=Y -> Gfresh X (cons (Y,T) G).
    Inductive isinG (X:Var) (T:Tp): envTp -> Prop :=
      checkG: forall G:envTp, forall Y:Var, forall U:Tp,
        (X=Y /\ T=U) \/ isinG X T G -> isinG X T (cons (Y,U) G).
    Definition Gclosed (T:Tp) (G:envTp): Prop :=
      forall X:Var, (isin X T) -> exists U:Tp, isinG X U G.

We can then state the inductive formulation of the well-formedness of environments:

    Inductive okEnv: envTp -> Prop := okVoid: okEnv nil
      | okGrow: forall G:envTp, forall X:Var, forall T:Tp,
          okEnv G -> Gfresh X G -> Gclosed T G -> okEnv (cons (X,T) G).

4.2 Encoding of the subtyping relation 

The representation of the subtyping relation, sub in Section 3, follows closely its counterpart on paper, apart from the constructor for the universal type, sub_fa, which is accommodated via a hypothetical premise about a fresh, locally quantified variable, which makes the encoding higher-order:

    Inductive subTp: envTp -> Tp -> Tp -> Prop :=
      sub_top: forall G:envTp, forall S:Tp,
        okEnv G -> Gclosed S G -> subTp G S top
      | sub_var: forall G:envTp, forall X:Var, forall U:Tp,
          okEnv G -> isinG X U G -> subTp G X X
      | sub_trs: forall G:envTp, forall X:Var, forall U T:Tp,
          isinG X U G -> subTp G U T -> subTp G X T
      | sub_arr: forall G:envTp, forall S1 S2 T1 T2:Tp,
          subTp G T1 S1 -> subTp G S2 T2 ->
          subTp G (arr S1 S2) (arr T1 T2)
      | sub_fa : forall G:envTp, forall S1 T1:Tp, forall S2 T2:Var->Tp,
          subTp G T1 S1 ->
          (forall X:Var, okEnv (cons (X,T1) G) ->
            subTp (cons (X,T1) G) (S2 X) (T2 X)) ->
          subTp G (fa S1 S2) (fa T1 T2).
4.3 The Theory of Contexts

The Theory of Contexts (ToC, [23]) is a type-theoretic axiomatization which has been proposed to give a metalogical account of the fundamental notions of variable and context⁴ as they appear in HOAS. Moreover, when the ToC is instantiated in a weak HOAS setting, it is compatible with the recursive and inductive environments provided by type theory-based logical frameworks and their implementations.

In fact, the axioms of this theory aim to reflect in the logic some fundamental and natural properties of object-level "term contexts" and "variables" (or "names", in some formal systems, like, e.g., process algebras). The main advantages of this approach are that it requires a very low mathematical and logical overhead, and that it can be "plugged" into several existing proof environments without requiring any redesign of such systems. We now present the informal intended meaning of the ToC.

Decidability of equality over variables. For any variables x and y, it is always possible to decide whether x = y or x ≠ y ("=" is Leibniz's equality).

Freshness/Unsaturation. For any term M, there exists a variable x which does not occur free in it (another interpretation is that there is no term containing/saturating all the variables).

Extensionality. Two term contexts are equal if they are equal on a fresh variable; that is, if M(x) = N(x) and x ∉ M(·), N(·), then M = N.

β-expansion. It is always possible to split a term into a context applied to a variable; that is, given a term M and a variable x, there exists a context N(·) such that N(x) = M and x ∉ N(·).

The instantiation process is very simple and syntax-driven. First, we state the following axiom (in fact, decidability is required for each type representing variables, only Var in our case):

    Axiom LEM_Var: forall X Y:Var, X=Y \/ ~X=Y.

where the prefix LEM stands for Law of Excluded Middle; indeed, this is the minimum classical flavour that we require in order to reason about (free) occurrences of variables. Such an assumption is very close to common practice when working on paper with nominal systems.

The formalization of Freshness/Unsaturation for terms of type Tp is straightforward too:

    Axiom unsat : forall T:Tp, exists X:Var, notin X T.

Next we have the instantiations of extensionality (tp_ext) and β-expansion (tp_exp, ho_tp_exp). Notice that we need β-expansion both at the level of first-order contexts (i.e., terms with one hole, tp_exp) and at the level of second-order contexts (terms with two holes, ho_tp_exp):

    Axiom tp_ext: forall X:Var, forall S T:Var->Tp,
      (notin_ho X S) -> (notin_ho X T) -> (S X)=(T X) -> S=T.
    Axiom tp_exp: forall S:Tp, forall X:Var,
      exists S': Var->Tp, (notin_ho X S') /\ S=(S' X).
    Axiom ho_tp_exp: forall S:Var->Tp, forall X:Var,
      exists S': Var->Var->Tp,
        (notin_ho X (fun Y:Var => (fa top (S' Y)))) /\ S=(S' X).

where notin_ho is a simple definition built on top of the predicate notin, stating that a variable does not occur in a context:

    Definition notin_ho := fun X: Var => fun S: Var->Tp =>
      forall Y: Var, ~X=Y -> (notin X (S Y)).



⁴ Contexts are "terms with holes", where the holes can be filled in by variables.
The properties formalized by the ToC have emerged from practical reasoning about process algebras, and have proved to be quite useful in a number of situations⁵. Ultimately, their combined effect is that of recovering the capability of reasoning by structural induction over contexts. We explain this fact by means of a single example, about the monotonicity of the predicate isin, which is needed for deriving the reflexivity of the subtyping relation (see Section 4.4):

    Lemma isin_mono: forall T:Var->Tp, forall X Y:Var, ~X=Y -> (isin X (T Y)) ->
      (forall Z: Var, ~X=Z -> (isin X (T Z))).
A direct way to prove the lemma would be by higher-order induction on the structure of T:Var->Tp; however, Coq does not provide such a principle. Moreover, a naive (i.e., first-order) induction on (T Y) does not work, since there is no way to infer something on the structure of the context T from the structure of (T Y) (notice that Y can occur free in T). Hence, we prove a preliminary lemma:

    Lemma pre_isin_mono : forall n:nat, forall T:Tp, (lntp T n) ->
      forall Z:Var, forall U:Var->Tp, (notin_ho Z U) -> T=(U Z) ->
      forall X Y:Var, ~X=Y -> (isin X (U Y)) ->
      forall V:Var, ~X=V -> (isin X (U V)).
where lntp is the predicate which counts the number of constructors involved in a term of type Tp:

    Inductive lntp: Tp -> nat -> Prop :=
      lntp_top : (lntp top (S 0))
      | lntp_var : forall X:Var, (lntp X (S 0))
      | lntp_arr : forall T T':Tp, forall n1 n2:nat,
          (lntp T n1) -> (lntp T' n2) ->
          (lntp (arr T T') (S (plus n1 n2)))
      | lntp_fa : forall T:Tp, forall U:Var->Tp, forall n1 n2:nat,
          (lntp T n1) -> (forall X:Var, (lntp (U X) n2)) ->
          (lntp (fa T U) (S (plus n1 n2))).
Therefore, (lntp T n) states that the term T is "built" using n constructors of the inductive type Tp. This fact allows us to argue by complete induction on n in the proof of pre_isin_mono, thus recovering the structural information about T via inversion of the instance (lntp T n). At that point, we can apply β-expansion to infer the existence of a context T':Var->Tp such that T=(T' Z), where Z does not occur free in T'. Then, by applying the extensionality property, we can deduce that U=T' and, since T' is not a variable but a concrete λ-abstraction, we "lift" structural information to the level of functional terms. Such information can finally be used to solve the current goal, isin_mono in this case.

In order to be more concrete, let us consider the case where (lntp (T Z) 1) holds. By inverting such a hypothesis, we get the case (among others) where the equality (T Z)=top holds. Then, we apply β-expansion (tp_exp) to top, yielding a context T' = (fun x:Var => top); in particular, we can state that (T Z)=top=(T' Z), whence we infer (T Z) = ((fun x:Var => top) Z). Finally, by means of the extensionality axiom (tp_ext), we "lift" such structural information to higher-order terms: namely, we deduce T = (fun x:Var => top), i.e., we get the structural information we need about T.

4.4 Formal development of the POPLmark Challenge 

In this section we illustrate the formal development carried out in the Coq system in order to solve the first 
task of the POPLmark Challenge, i.e. reflexivity, transitivity (and narrowing) of subtyping (Proposition 
2). We start by introducing some auxiliary lemmas; the most frequently used property is the following: 

5 Their consistency has been proved in [?], starting from an idea of M. Hofmann [22]. 

Lemma Gclosed_lemma: forall G:envTp, forall S T:Tp, 
    subTp G S T -> Gclosed S G /\ Gclosed T G. 

The informal meaning is that, if we derive (subTp G S T) (under such a hypothesis we are able to 
deduce that G is a well-formed environment, Lemma 1 of Section 3), then all the variables occurring 
free in S and T belong to the domain of G. The proof is carried out by induction on the derivation of 
(subTp G S T), using unsatG when we need a variable which is fresh w.r.t. the environment G: 

Lemma unsatG: forall G:envTp, exists X:Var, Gfresh X G. 

As the reader may guess, the proof of unsatG relies heavily upon the axiom unsat of the Theory 
of Contexts (see Section 4.3). Actually, given an environment G, the idea is just to scan the variable 
declaration list (X1,T1), ..., (Xn,Tn) in G, to build an arrow type (arr X1 (arr ... (arr Xn 
top) ...)). Then, by eliminating unsat on this type, we can get a fresh variable not occurring in 
such a type and, consequently, not appearing in the domain of G: 

Lemma domGtoT_notin: forall G:envTp, forall X:Var, 
    notin X (domGtoT G) -> Gfresh X G. 

where domGtoT is a function, defined by recursion on the environment G, which builds the mentioned 
arrow type from the variables belonging to its domain: 

Fixpoint domGtoT (G:envTp) := match G with 
  | nil => top 
  | (X,T)::G' => (arr X (domGtoT G')) end. 

The proof of domGtoT_notin is performed by induction on the structure of G, using the axiom LEM_Var 
to discriminate between the occurrences of variables. 
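The two ingredients just described, the "lifting" of structural information through the extensionality axiom (Section 4.3 above) and the fresh-variable lemmas unsatG and domGtoT_notin, as an added, self-contained Coq example that is not the paper's own script. It assumes an explicit var constructor (the paper coerces Var into Tp), an assumed definition of notin and notin_ho, and assumed statements of the axioms unsat and tp_ext; with this notin, the variable inequations come directly from inversion, so LEM_Var is not needed here.

```coq
(* Added example, not the paper's code. Weak HOAS signature: Var is a parameter set,
   the binder of fa is delegated to Coq's function space. *)
Parameter Var : Set.
Inductive Tp : Set :=
| top : Tp
| var : Var -> Tp                   (* the paper coerces Var into Tp; kept explicit *)
| arr : Tp -> Tp -> Tp
| fa  : Tp -> (Var -> Tp) -> Tp.
(* Assumed non-occurrence predicate; the fa case quantifies over names other than X. *)
Inductive notin : Var -> Tp -> Prop :=
| notin_top : forall X, notin X top
| notin_var : forall X Y, X <> Y -> notin X (var Y)
| notin_arr : forall X T T', notin X T -> notin X T' -> notin X (arr T T')
| notin_fa  : forall X T (U : Var -> Tp), notin X T ->
              (forall Y, X <> Y -> notin X (U Y)) -> notin X (fa T U).
Definition notin_ho (X : Var) (U : Var -> Tp) := forall Y, X <> Y -> notin X (U Y).
(* Unsaturation and extensionality, in the form assumed for this example. *)
Axiom unsat  : forall T : Tp, exists X : Var, notin X T.
Axiom tp_ext : forall (X : Var) (T U : Var -> Tp),
  notin_ho X T -> notin_ho X U -> T X = U X -> T = U.

(* "Lifting" to the functional term: from (T z)=top with z not free in T
   we conclude T = (fun _ => top), the step used in the pre_isin_mono proof. *)
Lemma lift_top : forall (T : Var -> Tp) (z : Var),
  notin_ho z T -> T z = top -> T = (fun _ : Var => top).
Proof.
  intros T z Hz Heq. apply (tp_ext z); [exact Hz | | exact Heq].
  intros Y _. simpl. apply notin_top.
Qed.

(* Environments, the arrow type over their domain, and freshness w.r.t. them. *)
Definition envTp := list (Var * Tp).
Fixpoint domGtoT (G : envTp) : Tp :=
  match G with nil => top | (X, _) :: G' => arr (var X) (domGtoT G') end.
Fixpoint Gfresh (X : Var) (G : envTp) : Prop :=
  match G with nil => True | (Y, _) :: G' => X <> Y /\ Gfresh X G' end.
(* Induction on G: each arrow layer of (domGtoT G) yields one inequation X <> Y. *)
Lemma domGtoT_notin : forall (G : envTp) (X : Var),
  notin X (domGtoT G) -> Gfresh X G.
Proof.
  induction G as [| [Y T] G' IH]; intros X H; simpl in *.
  - exact I.
  - inversion H; subst. split.
    + match goal with Hv : notin X (var Y) |- _ => inversion Hv; subst; assumption end.
    + apply IH; assumption.
Qed.
(* A fresh variable for any environment: eliminate unsat on (domGtoT G). *)
Lemma unsatG : forall G : envTp, exists X : Var, Gfresh X G.
Proof.
  intro G. destruct (unsat (domGtoT G)) as [X HX].
  exists X. apply domGtoT_notin. exact HX.
Qed.
```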

Coming finally to the POPLmark Challenge properties, reflexivity requires that the type envi- 
ronment is well-formed and the type under investigation is closed w.r.t. the environment itself: 

Lemma reflexivity: forall T:Tp, forall G:envTp, 
    okEnv G -> Gclosed T G -> subTp G T T. 

The proof is a straightforward induction on the structure of T, resorting to LEM_Var when it is needed to 
discriminate between free variables, and using the monotonicity of the "occurrence" predicate isin. 

Transitivity and narrowing are proved together (as on paper), via an outer induction on the struc- 
ture of the type Q, which is therefore isolated in front of the two properties: 

Theorem trans_narrow: forall Q:Tp, 
    (forall S:Tp, forall G:envTp, 
        (subTp G S Q) -> forall T:Tp, (subTp G Q T) -> (subTp G S T)) 
    /\ 
    (forall G':envTp, forall M N:Tp, 
        (subTp G' M N) -> forall D G:envTp, forall X:Var, forall P:Tp, 
        G'=(app D (cons (X,Q) G)) -> subTp G P Q -> 
        subTp (app D (cons (X,P) G)) M N). 

The proof of transitivity is, apart from the use of the Theory of Contexts, similar to that on the paper, via 
an inner induction on the derivation of (subTp G S Q). 

The same remark holds about the narrowing, whose management needs an inner induction on the 
derivation of (subTp G' M N), where the environment G' is Coq's list (app D (cons (X,Q) G)), 
which is built by means of the append function app. However, the narrowing requires two extra efforts. 

First, as its formulation involves a structured environment, it has been necessary to prove a series 
of technical lemmas involving Coq's lists and their relationship with the predicates Gfresh, isinG, 
Gclosed, okEnv. In carrying out such proofs, we have taken partial advantage of Coq's built-in list 
library, especially about permutations, which are required by the Weakening property (Lemma 2.3). 

To master the sophisticated interdependence between the outer and the inner structural inductions 
within the narrowing proof, we have exploited a slight elaboration of "modus ponens": ∀A,B : Prop. A ∧ 
(A → B) → A ∧ B (where A and B are intended to play the role of transitivity and narrowing, respectively). 
In fact, when the inner induction hypothesis for narrowing matches the rule sub_trs (see the proof of 
Proposition 2), the outer induction hypothesis (i.e., transitivity) has to be applied with the starting Q, not 
with a structurally smaller type. Therefore, to handle the involved cases within the outer induction (all 
but the Q=top one), we reduce to proving transitivity alone and narrowing with the proof context 
enriched by the additional transitivity hypothesis, instead of merely splitting the two main proofs. 

5 Related work 

At the time of writing, the POPLmark web page [4] collects fifteen contributions, including ours. In this 
section we give a brief account of the different approaches, filtering them through the perspective of the 
first task of the Challenge. Notice that we do not discuss here those works that employ the pure de Bruijn 
representation, because, according to the POPLmark document [3], it violates the "reasonable overhead" 
primary metric of success. Nevertheless, de Bruijn's technique can be taken into account to measure 
the progress of alternative representations, and its positive sides may be combined with novel ones. 

An approach that keeps de Bruijn indices to represent bound variables, together with (first-order) 
names to manage free variables, is known as locally nameless representation. This was first experimented 
in Coq by Leroy [26, 27], then refined by Chlipala [8] and Chargueraud [?], and ported to the Matita 
proof assistant by Ricciotti [35]. As de Bruijn indices represent variables by positions relative to the 
enclosing binders, there is no need to introduce α-equivalence for bound variables; on the other hand, 
two substitutions of types (for indices and names) have to be managed. Explicit environments are defined, 
and well-formedness of environments and types is introduced to describe the main subtyping concept. 

The opposite encoding choice is made by Stump [37], who represents in Coq bound variables via 
names and free variables via de Bruijn indices, by taking advantage of the Barendregt variable con- 
vention, which assumes that bound and free variables come from disjoint sets. 

Higher-Order Abstract Syntax (HOAS) encodings are closer to ours; we find a hybrid solution in 
ATS (commented on later in the section), and two full HOAS formalizations, in Abella and Twelf. 

The work carried out by Gacek in Abella [17, 18] introduces a canonical HOAS representation of 
System F<:'s types (notice, in particular, the signature of the universal constructor "∀", named all): 

ty type. 
top ty. 
arrow ty -> ty -> ty. 
all ty -> (ty -> ty) -> ty. 

Since variables are represented by metavariables of type ty, the extra specification logic judgment 
bound : ty -> ty -> o has to be defined to cope with the environment assumptions, and a (simplified) envi- 
ronment well-formedness predicate ctx : olist -> prop is introduced to reason about subtyping. Finally, 
to make structural induction on System F<:'s types feasible, a predicate wf ty : ty -> prop is added. 

The formalization carried out at Carnegie Mellon University within the Twelf system [?] uses the 
same signature for the syntax of System F<:'s types (here, the universal constructor is named forall): 

tp : type. ... 
forall : tp -> (tp -> tp) -> tp. 

Again, the environment assumptions require a distinguished judgment, assm : tp -> tp -> type, but, dif- 
ferently from the Abella approach, there is no explicit environment to reason on subtyping; instead, an 
extra judgment var : tp -> type is defined, to "mark" the types which play the role of variables. 

Summing up, variables are represented by Abella's and Twelf's metavariables belonging to the types 
ty and tp, which are introduced to encode the syntax of System F<:'s types. Differently, we adopt a 
weak HOAS approach, by choosing a separate, parametric type Var for representing variables: 

Parameter Var: Set. 
Inductive Tp: Set := ... 
fa: Tp -> (Var -> Tp) -> Tp. 

In this way, we keep the advantage of delegating α-conversion and substitution of variables for variables 
to the metalanguage, while retaining Coq's built-in induction principle for Tp. Of course, in Abella and 
Twelf one has the extra possibility of delegating the substitution of types for variables, while we would have to 
write an ad-hoc predicate. However, this kind of substitution is not required to deal with subtyping. 

Also the solution proposed by Urban and coworkers in Isabelle [39], based on the Nominal 
(Logic) datatype package, is quite related to our approach. The signature of types is the following: 

atom_decl tyvrs 
nominal_datatype ty = 
    Tvar tyvrs 
  | Top 
  | Arrow ty ty ("→" [100, 100] 100) 
  | Forall "⟪tyvrs⟫ ty" ty 

In this formalization type variables are represented by atoms, therefore System F<:'s "∀" binder is en- 
coded via the abstraction operator ⟪...⟫...; this makes it possible to prove that α-equivalent types are equal. 
Then, a measure on the size of types and the notion of capture-avoiding substitution are defined. 

We remark that the intrinsic concepts of finite support and freshness play in Nominal Logic a role 
which is similar to that of the occurrence (isin) and non-occurrence (notin) predicates, which are bundled 
with our axioms of the Theory of Contexts (ToC). Actually, this is not fortuitous, since in [29] the relation 
between intuitionistic Nominal Logic and the Theory of Contexts is clearly explained by means of a 
translation of terms, formulas and judgments of the former into terms and propositions of CC^Ind, via 
a weak HOAS encoding. It turns out that the (translation of the) axioms and rules of intuitionistic 
Nominal Logic are derivable in CC^Ind extended with the Theory of Contexts (CC^Ind + ToC). 

An alternative high-level encoding technique exploits nested datatypes for representing the variable 
binder in Coq [20, 21]. This approach, whose characteristic feature is the encoding of the "∀" operator 
(Uni in the following datatype), is named nested abstract syntax by its authors: 

Inductive ftype (V:Type): Type := ... 
  | Uni: ftype V -> ftype ^V -> ftype V. 

where the type ^V, rendered by the option datatype, denotes V extended with a new "fresh" element: 

Inductive option (V:Type): Type := Some: V -> option V 
  | None: option V. 

The main advantages consist of retaining the induction and recursion principles provided by Coq and 
providing a categorical interpretation of the whole approach. On the other hand, as the heavy use of 
dependent typing is not always supported by Coq, ad-hoc techniques have to be picked out. 
Xi's hybrid solution in ATS [40] combines HOAS (for types) with de Bruijn indices (for environ- 
ments). ATS is a powerful programming language, featuring dependent and linear types and supporting 
theorem proving. However, in this case it is not possible to state a meaningful comparison with our work, 
because Xi's contribution does not address the first part of the Challenge. 

Another approach which addresses a different part of the Challenge is due to Fairbairn and carried out 
in Alpha-Prolog [15], with a complementary parser and pretty printer written in OCaml. More precisely, 
this work provides a nominal-style formalization of System F<: with records and patterns, allowing the 
user to "animate" the language, i.e., to explore the language properties on specific examples. 

6 Conclusion 

Carrying out our weak HOAS formalization of System F<:'s pure type language in Coq, we have tried to 
stick to the POPLmark primary metrics of success (see [3]). 

• Correctness. In Section 3 we have given an alternative presentation of System F<:'s subtyping 
concept, thus yielding a system which is equivalent to the original one (as stated by Theorem 1), 
but at the same time closer to the final formalization in CC^Ind. In other words, the translation from 
the system "on paper", presented in Section 3, to its formal counterpart in Section 4 is, except for 
the use of weak HOAS, a matter of syntactic sugar. 

• Reasonable overhead. The weak HOAS encoding approach, together with the (suitable instanti- 
ation of the) Theory of Contexts, provides a smooth treatment of the (type) variable binder, and 
frees the user from the burden of dealing with low-level mechanisms about variables.6 In fact, 
bound variables are automatically dealt with by the metalanguage of Coq, which transparently re- 
names them to avoid clashes with free ones. At the same time, our formalization allows the user 
to keep benefiting from the inductive features of CC^Ind, that is, recursion and induction principles. 
Remarkably, the Theory of Contexts grants the extra ability to handle and reason about contexts 
(i.e., higher-order terms), lifting structural information to the level of functional terms. 

• Transparent technology. In our opinion, both the formal representation of System F <: 's type lan- 
guage and the encoding of fundamental theorems' statements are easily readable and very close 
to their informal counterparts. Even the axioms of the Theory of Contexts are reminiscent of 
properties that are commonly taken for granted, working with "paper and pencil". 

• Reasonable cost of entry. The Coq system is one of the most used proof assistants based on type 
theory; it is well-documented, and the provided tutorial allows everyone who is knowledgeable 
about programming language theory to use fruitfully the proof assistant, after a reasonable training 
effort, for the goals within the Challenge. More specifically, the Theory of Contexts may be 
injected in Coq without the need of any redesign of the system; moreover, as we have already 
pointed out, such a theory is rather easy to add on top of a signature, since it is syntax-driven. 

Concluding, we stress that, even though we have pursued neither optimization (of our encoding) nor 
competition (with the alternative ones),7 our formalization is still effective and very terse, in spite of the lack 
of support for HOAS encodings in Coq. Actually, the source code of the development preliminary to the 
main goal is 33.4 KB long, including 12.7 KB required to manage the type environment; also the main 

6 Namely, α-conversion and capture-avoiding substitution of variables for variables. 

7 In fact, our contribution is the first weak HOAS solution submitted to the POPLmark Challenge: as such, the spirit of our 
work is essentially to close a gap, and at the same time a first effort towards more ambitious goals (stated by the Challenge). 

proof (Reflexivity, Transitivity and Narrowing) is rather compact (it is about 16 KB long), and it follows 
closely the trace of its "informal" counterpart, carried out "on paper". 
From a pragmatic point of view, we want just to add two remarks. 

First, we have suffered a little from the lack of "smart" support for nested inductions, having to 
rearrange the goal statement and to enrich it with suitable equalities, to correctly "purge" the inconsistent 
cases automatically generated by the nested application of the induction tactic. 

Second, we have spent almost 40% of the preliminary script handling the type environment, 
which could be seen as an overhead. In fact, we plan to investigate in future work the possibility of dropping 
the list machinery used to represent the type environment, by adopting instead the bookkeeping technique 
[28, 10, 9, 11], with a "global" environment and local hypotheses modeled via hypothetical judgments. 